This is a predictable enterprise scenario I come across quite often. In fact, the formula is almost always the same: criminal mind + trusting users to do the right thing + minimal endpoint security = exposure of sensitive information. When a laptop is lost, there's a lot to be done in a short time, and it's best to err on the side of caution even if you believe nothing sensitive was stored on it.
What to do
Instead of pointing fingers and placing blame, focus on the elements that keep the business task at hand moving. Listed below are a few key steps to take if someone in your organization loses a laptop or has it stolen. These measures will help you respond rather than react, get you back on the road to recovery, and minimize any future worries.
- Contact the local law enforcement agency where the property is thought to have been lost or stolen.
- Notify your compliance officer, marketing and PR managers, legal counsel, and any others with a vested interest so they can prepare to respond in their areas of responsibility, such as media inquiries and customer notification.
- Look at any recent backups of the system you may have in order to determine what is likely to have been on the machine when it was lost or stolen.
- Change any WEP or WPA/WPA2 pre-shared keys on your wireless network, since the keys saved on the laptop would let whoever recovers it join your network.
- Change the user's network, email, Web, database, or other application passwords to prevent any unauthorized system use and abuse.
- Change any other user or administrator passwords that may have been present on the operating system or related applications in case that information is recovered.
- Hope and pray for the best! It could very well be that the system wasn't fully breached, was reformatted and sold for cash, or may soon be returned.
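The backup-review step above is where the scope of the exposure gets decided, and doing it by eye over a whole user profile is slow. The script below is an added example (not part of the original article) that triages a restored backup snapshot for the kinds of data that trigger customer-notification obligations: social security numbers, payment card numbers (validated with the Luhn checksum so order IDs are not counted) and e-mail addresses. It walks the common text-based document and temp-file types, reports per-file counts, and skips binary files it cannot parse. The directory layout, file names and values are all constructed here so the example runs offline; the suffix list and patterns are assumptions a real deployment would tune.

```python
import re
import tempfile
from pathlib import Path

# Plain-text formats found in user profiles and temp folders (assumption: office
# binaries such as .doc/.xls would need a dedicated parser and are skipped here).
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".xml", ".json", ".ini"}

PATTERNS = {
    # AAA-GG-SSSS; areas 000, 666 and 9xx are never issued, so they are excluded.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 14-19 digits with optional space/dash separators; validated by Luhn below.
    "card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out plain long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count sensitive-data hits in one file's contents."""
    counts = {
        "ssn": len(PATTERNS["ssn"].findall(text)),
        "email": len(PATTERNS["email"].findall(text)),
        "card": 0,
    }
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 14 <= len(digits) <= 19 and luhn_ok(digits):
            counts["card"] += 1
    return counts


def scan_backup(root: Path) -> dict:
    """Walk a restored backup and list the files that contain sensitive data."""
    findings = []
    scanned = 0
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        scanned += 1
        counts = scan_text(path.read_text(errors="ignore"))
        if any(counts.values()):
            findings.append({"path": str(path.relative_to(root)), **counts})
    return {"files_scanned": scanned, "findings": findings}


def build_sample_backup() -> Path:
    """Constructed backup snapshot (not real data) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="laptop_backup_"))
    docs = root / "Documents and Settings" / "jdoe" / "My Documents"
    docs.mkdir(parents=True)
    (docs / "customers.csv").write_text(
        "name,email,ssn\n"
        "Ann Example,ann@example.com,123-45-6789\n"
        "Bob Example,bob@example.com,234-56-7890\n"
    )
    (docs / "notes.txt").write_text("Lunch with the team on Friday.\n")
    temp = root / "Documents and Settings" / "jdoe" / "Local Settings" / "Temp"
    temp.mkdir(parents=True)
    # 4111 1111 1111 1111 is the standard Visa test number and passes Luhn.
    (temp / "order.log").write_text("card=4111 1111 1111 1111 amount=42.00\n")
    (root / "image.bin").write_bytes(b"\x00\x01\x02")  # binary, skipped
    return root


if __name__ == "__main__":
    report = scan_backup(build_sample_backup())
    print(f"files scanned: {report['files_scanned']}")
    for f in report["findings"]:
        print(f"{f['path']}: ssn={f['ssn']} card={f['card']} email={f['email']}")
```

Run it against the mount point of the most recent backup of the lost machine; the findings list is what legal counsel and the compliance officer need to decide whom to notify, and the temp-folder hit illustrates why the search cannot stop at the Documents folder.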
Doing the right things
Once you get back on track after responding to the breach, it may be time to step back and assess how security breaches and overall information risk are managed in your organization. The most important thing is to find out where you're vulnerable. Look at a sampling of laptops to see just how susceptible they are to information breach if they're lost or stolen. Pretend you're a bad guy who just came across a laptop: what can be done with the information stored on it, including word processor and spreadsheet files in the Windows Documents and Settings folder, any temporary directories, or even the desktop?
Furthermore, try to uncover passwords in areas that many people don't think about -- Windows .pwl files, protected storage elements, VPN client software, and more. I recommend Elcomsoft's Proactive System Password Recovery tool. Many people don't realize that all this information is stored and readily accessible once someone has their laptop.
Next, you need to update your existing security incident response plan or create a new one. Such a plan consists of the who, what, when, where and how steps outlining how breaches are handled. A solid incident response plan will have the following sections:
- Team member contact information
- Testing procedures
- Record keeping
Finally, look into laptop security controls -- whole disk encryption and more -- which I outline here and can help enforce your policies, support your incident response plan, and manage information risks.
Looking ahead, remember that the problem of losing a mobile device that leads to information exposure is not limited to laptops. It also applies to smartphones, PDAs, and any other electronic device that stores even the least bit of enterprise information that can be easily recovered. Without a plan, suitable technical controls, and mobile device oversight, the lost laptop dilemma will continue to haunt you and your organization. Who has time – or the nerve – to deal with that?
About the author: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at email@example.com.
This was first published in September 2006